Data Processing Addendum (DPA)
This Data Processing Addendum (“Addendum”) forms part of the [Service Agreement] (“Agreement”) between [Company Name] (the “Company” or “Data Processor”) and [Customer Name] (the “Customer” or “Data Controller”) to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (EU 2016/679).
1. Definitions
1.1 Data Controller: The entity that determines the purposes and means of processing personal data.
1.2 Data Processor: The entity that processes personal data on behalf of the Data Controller.
1.3 Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”) as defined under GDPR.
1.4 Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, or erasure.
1.5 Sub-Processor: Any third party appointed by the Data Processor to process Personal Data.
1.6 Data Protection Laws: All applicable privacy and data protection laws, including but not limited to the GDPR.
2. Processing of Personal Data
2.1 Purpose: The Data Processor agrees to process the Personal Data solely for the purposes set forth in the Agreement and only in accordance with the documented instructions of the Data Controller unless required to do otherwise by EU or EU Member State law.
2.2 Types of Personal Data: The types of personal data to be processed by the Data Processor may include but are not limited to [specify types of data, e.g., contact information, billing information, etc.].
2.3 Categories of Data Subjects: The categories of data subjects whose personal data is processed under this Addendum may include, but are not limited to, [specify categories, e.g., employees, end-users, etc.].
2.4 Duration of Processing: The processing of personal data will last for the duration of the Agreement unless otherwise agreed upon or required by law.
3. Data Processor’s Obligations
3.1 Compliance with Laws: The Data Processor shall comply with all applicable data protection laws and regulations, including but not limited to GDPR.
3.2 Confidentiality: The Data Processor shall ensure that all personnel authorized to process personal data are subject to obligations of confidentiality.
3.3 Security Measures: The Data Processor shall implement appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include [describe security measures, e.g., encryption, pseudonymization, etc.].
3.4 Data Breach Notification: The Data Processor shall notify the Data Controller without undue delay, and in any event within 72 hours, upon becoming aware of a data breach affecting the personal data.
3.5 Data Protection Impact Assessments: The Data Processor will provide assistance to the Data Controller, where necessary, for the completion of data protection impact assessments and prior consultations with regulatory authorities.
4. Data Controller’s Obligations
4.1 Compliance: The Data Controller represents and warrants that it complies with its obligations under the GDPR, including having a lawful basis for the collection, use, and processing of personal data.
4.2 Instructions: The Data Controller will provide documented instructions to the Data Processor regarding the processing of personal data and ensure these instructions comply with applicable law.
4.3 Third-Party Use: The Data Controller will notify the Data Processor if any third-party services are used in the processing of personal data. The Data Controller remains responsible for ensuring these third parties comply with applicable data protection laws.
5. Sub-Processing
5.1 Authorization of Sub-Processors: The Data Processor shall not engage any sub-processor without the prior written consent of the Data Controller. A list of approved sub-processors is attached as Annex A.
5.2 Liability for Sub-Processors: The Data Processor shall remain fully liable for any processing activities performed by sub-processors in breach of this Addendum.
5.3 Contractual Obligations: The Data Processor shall ensure that any sub-processor is bound by similar contractual obligations regarding data protection and security as set forth in this Addendum.
6. International Data Transfers
6.1 Transfer Restrictions: The Data Processor shall not transfer Personal Data outside of the European Economic Area (EEA) without ensuring appropriate safeguards in compliance with Chapter V of GDPR, such as standard contractual clauses or binding corporate rules.
7. Data Subject Rights
7.1 Assistance with Requests: The Data Processor will assist the Data Controller in responding to any request from a data subject to exercise their rights under GDPR, including the right to access, rectify, or erase personal data, or to restrict or object to its processing.
8. Data Return and Deletion
8.1 Return or Deletion: Upon termination or expiration of the Agreement, the Data Processor shall, at the Data Controller’s election, either delete or return all personal data in its possession unless required by law to retain such data.
9. Audits
9.1 Audit Rights: The Data Controller shall have the right to audit the Data Processor’s compliance with this Addendum, upon reasonable notice and during normal business hours. The Data Processor shall cooperate fully with any such audits.
10. Liability
10.1 Indemnity: The Data Processor shall indemnify the Data Controller for any fines or claims arising from the Data Processor’s breach of this Addendum, to the extent permitted under applicable law.
11. Governing Law and Jurisdiction
11.1 This Addendum shall be governed by and construed in accordance with the laws of Sweden, and the parties submit to the exclusive jurisdiction of the courts of Gothenburg, Sweden.
12. Miscellaneous
12.1 Severability: If any provision of this Addendum is found to be invalid or unenforceable, the remainder of the Addendum shall remain valid and enforceable.